ietf-asrg

Re: [Asrg] Quarantines and block lists

2007-01-29 16:03:08

gep2(_at_)terabites(_dot_)com wrote:

>> Lost Email is any email that is sent but not presented to the user
>> and does not generate a DSN to the sender.
>
> The problem is, in the case of spam as in the case of viruses or worms,
> determining WHO the TRUE sender actually is.  It is safe to presume that
> it often is NOT the person listed in the From: header.
>
> Therefore, I think we should note under "good practices" that it is NOT
> "good practice" to return ANY indication (after the original SMTP-time,
> and thus it's pretty much limited anyhow to just going back 'one' level)
> regarding mail blocked either as spam, or mail blocked because it
> contains worms or viruses.  In both cases, I believe we MUST presume
> that the true sender will not be accurately determinable.  To send ANY
> kind of a bounce message back is likely to create more harm than good,
> probably just haranguing another innocent third party.

If you're doing your spam filtering at the front end, and ALWAYS do
filter hits as inline rejections, then this isn't an issue.

[Yes, there is a small amount of spam going through "real" MTAs that
produce blowback in such a case.  But this is so rare these days as not
to be a concern.  We're averaging less than a complaint a year about
misdirected NDRs (at 1.6M rejected per day).]

But obviously, you can't do that in the UA.

Therefore, with UA-level filtering, you _cannot_ provide valid feedback
to legitimate senders unless you tolerate unacceptable levels of
collateral damage.

As sender feedback is critical as a counter-FP measure in most
environments, you're completely screwed if you insist on UA-level
filtering.  Sender feedback is fundamentally incompatible with UA-level
filtering.

> The point is that NON-spamtrap addresses get mail through Yahoogroups,
> and where you can't tell much or anything about where the E-mail
> actually originated.  So do you block Yahoogroups servers by IP address?

No, why would you have to?  But you can, if you wish, use
X-Originating-IP (or analogous headers).

> And if you don't do anything about Yahoogroups-forwarded spam, then
> you're leaving a gaping hole through which a large quantity of spam can
> be sent.

Using DNSBLs doesn't require you to "don't do anything about
Yahoogroups-forwarded" spam.

> Again, IP-based detection blocking is nowhere close to viable for such
> cases.

So what?

> I know that a lot of folks here seem to have a strong emotional
> commitment to the basic concept of IP-based blocking, but as unpleasant
> as it is to accept, that is simply NOT a very good approach.

It's an excellent approach when used correctly.  Using it _alone_ and
expecting it to work acceptably in _all_ circumstances is not using it
correctly.

As is any other filtering technique.

I have a strong commitment to _effective_ and reliable filtering.
DNSBLs provide part of that answer.  Other methods plug the holes,
complement DNSBLs, and deal with things that the DNSBLs can't (or
haven't yet) caught.

10 years ago we started with content filters only, and could only do
extremely limited amounts of IP-based blocking.  As of 2001, that had
simply become totally inadequate.  These days it's about 90% DNSBL, and
10% content.

> That's one reason why it's SO critical to put the kibosh on viruses and
> worms that recruit the spambot armies... that makes it harder to proxy
> the spam transmissions and diversify the origin points.  Slamming the
> door on HTML and attachments from unknown senders puts a MAJOR brake on
> that, literally overnight, and in a way that is very difficult to
> circumvent in any widespread way.

a) It really doesn't put the brakes on.  Think bare text with the
appropriate human engineering and links.

b) Slamming the doors on HTML and attachments from even unknown senders
has a vastly higher FP rate than anything else with "normal" ISP flows.
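An added example (written for this archive page, not code from the post above or from anyone on the ASRG list) of the two mechanics the reply relies on: pulling the originating IP of a list-forwarded message out of X-Originating-IP (or, failing that, the earliest Received: header), building the DNSBL query name for it, and then disposing of a hit so that it never turns into a DSN to a sender who is probably forged. The DNSBL zone `dnsbl.example`, the headers, and the `lookup` function that stands in for a real DNS query are all constructed assumptions for the example.

```python
"""Originating-IP extraction, DNSBL query-name construction and a
no-backscatter disposition rule.  Added example; the zone, headers and
lookup result are constructed, not real data."""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import Callable, Optional

DNSBL_ZONE = "dnsbl.example"   # hypothetical zone name, not a real list

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Hops in these ranges are internal/loopback and never worth a lookup.
_NEVER_LOOKUP = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Standard DNSBL query form: reverse the dotted quad and append the
    zone, e.g. 192.0.2.77 -> 77.2.0.192.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)          # raises on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def _lookup_worthy(candidate: str) -> bool:
    """True for a syntactically valid IPv4 address outside the skip list."""
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return False
    return not any(addr in net for net in _NEVER_LOOKUP)


def originating_ip(msg: Message) -> Optional[str]:
    """Prefer X-Originating-IP, which list servers add for the submitting
    client; otherwise walk Received: headers from the earliest (bottom-most)
    upwards and take the first address that is worth looking up."""
    xo = msg.get("X-Originating-IP")
    if xo:
        m = _IPV4.search(xo)
        if m and _lookup_worthy(m.group(1)):
            return m.group(1)
    for received in reversed(msg.get_all("Received", [])):
        for candidate in _IPV4.findall(received):
            if _lookup_worthy(candidate):
                return candidate
    return None


def disposition(msg: Message, listed: Callable[[str], bool],
                at_smtp_time: bool) -> str:
    """A hit during the SMTP transaction is rejected inline with a 5xx, so
    the connecting MTA (which knows who really submitted the message)
    reports the failure.  A hit found after acceptance is discarded with
    no DSN: From: and the envelope sender cannot be trusted, and a bounce
    would just land on an innocent third party."""
    ip = originating_ip(msg)
    if ip is None or not listed(dnsbl_query_name(ip)):
        return "accept"
    return "reject-5xx" if at_smtp_time else "discard-no-dsn"


# Constructed samples.  Addresses are from RFC 5737 documentation ranges.
SAMPLE_LIST_MSG = message_from_string(
    "Received: from list.example (list.example [198.51.100.10])\n"
    "\tby mx.example.net with ESMTP; Mon, 29 Jan 2007 16:03:08 -0500\n"
    "Received: from [10.0.0.5] by list.example with SMTP\n"
    "X-Originating-IP: [192.0.2.77]\n"
    "From: someone@forged.example\n"
    "Subject: hello\n\n"
    "body\n")

SAMPLE_DIRECT_MSG = message_from_string(
    "Received: from mail.example.org (mail.example.org [203.0.113.9])\n"
    "\tby mx.example.net with ESMTP; Mon, 29 Jan 2007 16:05:00 -0500\n"
    "Received: from [10.0.0.5] by mail.example.org with SMTP\n"
    "From: someone@example.org\n"
    "Subject: hello\n\n"
    "body\n")

# Constructed lookup result standing in for a DNS query of the zone.
CONSTRUCTED_LISTED = {dnsbl_query_name("192.0.2.77")}


def lookup(name: str) -> bool:
    return name in CONSTRUCTED_LISTED


if __name__ == "__main__":
    print(originating_ip(SAMPLE_LIST_MSG))
    print(disposition(SAMPLE_LIST_MSG, lookup, at_smtp_time=True))
    print(disposition(SAMPLE_LIST_MSG, lookup, at_smtp_time=False))
```

The `listed` callable is injected so the decision logic can be exercised offline; in production it would be a DNS A-record query for the constructed name. Note that the fallback walks Received: headers from the bottom, since headers added by later hops are prepended and the earliest hop is the one closest to the real submitter.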

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
